A critical security vulnerability has been discovered in the wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin, a popular plugin used by WordPress websites to create dynamic tables and charts.
The vulnerability, CVE-2024-3820, allows attackers to perform SQL injection via the ‘id_key’ parameter of the wdt_delete_table_row AJAX action. This flaw affects all versions of the plugin up to and including 6.3.1.
Details of the Vulnerability – CVE-2024-3820
According to the WordFence blogs, the vulnerability arises due to insufficient escaping of user-supplied parameters and insufficient preparation on the existing SQL query.
This allows unauthenticated attackers to append additional SQL queries to already existing queries, potentially extracting sensitive information from the database.
It is important to note that this vulnerability only affects the premium version of the wpDataTables plugin.
Given the critical nature of this vulnerability, it poses a significant risk to websites using the affected versions of the wpDataTables plugin.
All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo
Attackers exploiting this flaw can gain unauthorized access to sensitive information stored in the database, leading to data breaches, loss of confidential information, and potential damage to the website’s reputation.
Mitigation
Website administrators using the wpDataTables plugin are strongly advised to:
- Update the Plugin: Ensure the plugin is updated to the latest version as soon as the developers release a patch.
- Monitor for Unusual Activity: Check the website’s logs and database for any unusual activity that could indicate an attempted or successful exploitation.
- Implement Web Application Firewalls (WAF): Use a WAF to help detect and block SQL injection attempts.
The discovery of CVE-2024-3820 highlights the importance of regular security audits and updates for WordPress plugins.
Website administrators must remain vigilant and proactive in addressing vulnerabilities to protect their sites from potential attacks.
The wpDataTables plugin developers are expected to release a patch soon, and users are urged to apply it immediately to mitigate the risk.
For more information and updates on this vulnerability, stay tuned to security advisories and the official wpDataTables plugin website.
Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.